Table editor allows to execute javascript in FF - Githubissues

Tradeshift / tradeshift-ui

The Tradeshift UI Library & Framework

https://ui.tradeshift.com

Other

33 stars 45 forks source link

Table editor allows to execute javascript in FF #273

Closed akarnachuk closed 7 years ago

akarnachuk commented 7 years ago

Bug report

Table editor allows to execute javascript code. When I paste the following code

</textarea><svg/onload="alert('Qasuar')">

into table editor and press enter I'm getting alert. (see https://tradeshift.atlassian.net/browse/HACK-273)

Tradeshift UI version affected

v8.0.2

Expected Behavior

No javascript should be executed

Actual Behavior

Javascript is allowed to be executed

Steps to reproduce

This was reproduced on Firefox 53.0.2 (64-bit) and not reproduces in Chrome.

Screenshots (optional)

wiredearp commented 7 years ago

:beer: Good find! Thanks for reporting.